From the December 2004 issue of Investment Advisor • Subscribe!

December 1, 2004

Homeland Security

Hackers and identity thieves are more numerous and smarter than ever. Here's how you can help protect your clients

An elderly professional couple recently applied for a credit card, in this case from a major oil company, and, to their great surprise, the request was turned down. They have a net worth of well over a million dollars, have always paid their bills on time, and couldn't imagine a reason for the rejection. Then came a follow-up letter from one of the credit bureaus indicating that the bureau had reported to the oil company a judgment filed against the Maryland couple by SBC Communications in Michigan six years earlier for unpaid bills totaling around $600.

Luckily, the couple had recently become clients of Peter Winer, a planner with Winer & Jones in Lutherville, Maryland, who makes identity theft a major topic of conversation with every client. "It's part of my normal process," he says. "I put together an 'identity theft kit' that I provide to every client." Winer points out that his kit is composed strictly of material in the public domain and available from the Federal Trade Commission and other sources.

Once Winer was informed of the situation with the credit card, he jumped into action. "I got my identity theft kit out, and filled out the letters to all three credit bureaus. They sent them in. We filled out the identity theft affidavits. We filed police reports and we were able to get most of it resolved. They're still not able to get the credit card. This is six months later and I don't think it's been totally removed from their credit report yet. This is the only case I've had where someone was a victim, but with most of my clients I try to do everything we can for prevention."

Building awareness of the problem and taking a proactive approach to confronting it should be part of every advisor's client service. Winer's approach includes discussing his three-part identity theft kit with each client. The first part, "prevention and detection," covers what Winer sees as the two most important issues: shredding documents and having a current credit report. "The second section is about what to do if you're a victim. Mostly I skim over that with my clients and say, 'Hopefully we'll never need this, but it's here if you do,'" Winer explains. The final component is a tracking report for credit bureau requests. Under one of the provisions of the Fair and Accurate Credit Transactions Act of 2003, signed into law by President Bush last year, as of December 1, 2004, everyone is entitled to a free credit report from each of the three major credit bureaus every year. Winer's tracking report is a spreadsheet that allows clients to track when they request a credit report and when it is received, so they can follow up a year later and get another copy.

Among his new clients, Winer says awareness of the problem of identity theft is high. "The big problem is they just don't know what to do about it. They hear about it, they read about it, they see the Citibank commercials [humorous ones highlighting the issue]. Some of them have shredders, but beyond that, it's sort of this nebulous threat that's out there, but most people aren't sure just what to do."

A Fast-Growing Crime

By now most Americans are aware that identity theft is a problem, but unless they or someone close to them has actually experienced it, they probably don't know how big a problem. According to the Federal Trade Commission, there were 9.9 million victims of identity theft in 2002, the most recent year for which figures are available, with a cost to businesses and consumers of almost $53 billion. The FTC also notes that on average it takes a full year before the victim realizes their identity has been lifted. According to the FBI, identity theft is one of the fastest growing crimes on the criminal landscape. A recent study by the Identity Theft Resource Center, a national non-profit organization based in San Diego, estimates that the average identity theft case costs the victim $16,000 in cash and forces them to miss more than 600 hours of work as they attempt to reestablish their names. On its Web site (www.idtheftcenter.org), the ITRC breaks down identity theft into four types:

Financial Identity Theft--which usually involves using the victim's name and Social Security number to apply for telephone service, credit cards and loans, or to lease cars or apartments.

Criminal Identity Theft--where the criminal will provide the victim's personal information when stopped by law enforcement officers. Any penalties, and the eventual arrest warrant, will be in the name of the person named in the citation.

Identity Cloning--where an impostor uses the victim's personal information and good credit history to establish a new life.

Business or Commercial Identity Theft--where a criminal opens checking accounts or credit cards in the name of a targeted business, which remains blissfully unaware until the collection notices start arriving.

Go Phish

Like so many other aspects of modern life, identity theft has gone high tech. Just about anyone who has an e-mail account has probably been offered bait by some potential scam artist on a "phishing" expedition. Rather than mining the ocean, these phishers use e-mail and the Internet to cast their nets far and wide. The bait might be an offer of anywhere from several hundred thousand to a few million dollars for letting a Nigerian you've never met transfer a huge sum of money he can't get out of the country into your bank account. Lately, it's more likely to be an e-mail or pop-up message seemingly from a legitimate business or organization, such as this recently received e-mail supposedly sent from Citibank, with the subject "Identity Theft Solutions."

The message, with Citibank logo, reads:

"Dear Citibank Customer:

Recently there have been a large number of identity theft attempts targeting Citibank customers. In order to safeguard your account, we require that you confirm your banking details.

This process is mandatory, if not completed within the nearest time, your account may be subject to temporary suspension."

This particular scam used Citibank as the front, but SunTrust, eBay, and various Internet service providers have also been victimized. Consumers who take the bait are usually directed to a Web site that looks legitimate, but is actually used to steal personal and financial data.

In a time when more and more clients rely on e-mail messages and the Internet to keep track of their investments and to handle many of their transactions, it's imperative for advisors to stress the importance of computer security. "I ask for a lot of information from clients as we do reviews," notes Mark Ferris, an advisor in Old Saybrook, Connecticut. "I always say, do not e-mail things like mortgage balances, credit card balances, or beneficiary Social Security numbers. You can leave it on voicemail or fax.

They're relatively secure. But you've got to avoid the temptation to send stuff by e-mail, even attachments."

Ferris also stresses the importance of protecting your computer from spyware. He notes that most of it has relatively benign marketing motives, but there are programs that attempt to hijack a computer's CPU for use as a remote spam server and others that can capture personal data that the user thinks is being relayed to a secure site.

Robbed the Old-Fashioned Way

While cyberattacks are the latest weapon in the identity thief's arsenal, even in the 21st century, tried-and-true con games and outright stealing continue to work pretty well. Resourceful identity thieves can get your clients' personal information in a number of ways. "Dumpster diving," which, as it sounds, entails going through Dumpsters and trashcans to collect personal information, is among the simplest, and most effective, methods, but there are others. Credit card numbers are sometimes copied or memorized by sales clerks and waiters, or even captured by electronic "skimmers," which can be installed on legitimate terminals by unscrupulous employees for later downloading.

Sometimes it's that guy watching you punch your code numbers into an ATM or public phone.

Advisor Ferris had recent experience with both. A client who began noticing unauthorized charges on his American Express card ultimately determined his account number was skimmed at some point while he was on vacation in Puerto Rico. Ferris himself had his long distance card's number lifted when he stopped to make a call at a rest area on the New Jersey Turnpike. When calls to Nairobi started appearing on his bill, he knew there was something wrong.

Other problems can arise when tax notices, financial account statements, and other bills are stolen right from the victim's mailbox while he remains totally unaware. That's suspected in a case recently dealt with by Jim Murphy, a CPA and financial planner with Lucas, Horsfall, Murphy and Pindroh in Pasadena, California, who unfortunately is more familiar with the problem of identity theft than he would like. "We've had three clients within the last eight or nine months where we've had to deal with it," he says. "One case involved what we believe was mail theft. The [thieves] went out and started opening up mortgage accounts and credit card accounts and we didn't find out about it for eight or nine months, when our client went to refinance their house. At that point, we stepped in and notified the credit bureaus and got everything knocked off pretty quickly."

He also has an elderly client who had a credit card taken, probably by one of her caregivers. Some $50,000 in charges were run up on that card (which were absorbed by Merrill Lynch, the card sponsor) and an attempt was made to fraudulently obtain a MasterCard in the same name. Unfortunately, it's not only strangers that your clients need to worry about, as Ted Feight, an advisor in Lansing, Michigan, can certainly attest. Feight has clients who suffered losses that he estimates at around $170,000 at the hands of their granddaughter and her husband.

The story he tells illustrates the wisdom of the saying, "The easiest way to make things difficult for your children is to make things too easy." When the young couple had no money to go on a honeymoon, the grandparents supplied a credit card which they didn't get back until bills much larger than the honeymoon had accrued. Then the young man wanted to open his own business and wanted them to give him $100,000. Feight advised his clients not to back the business venture, but couldn't talk them out of co-signing a $25,000 loan, which with interest and penalties ended up costing the grandparents about $50,000. "Then this year we found out that he'd taken out an American Express and a Visa card in the grandfather's name. They ran up another $100,000 on those credit cards before the grandparents knew what had happened."

In helping his clients deal with this crisis, Feight had them listen to a tape version of The Millionaire Next Door, "especially to the sections on how to take care of your children and how not to. They were afraid that if they didn't pay the bills or if they went to the police that they wouldn't be allowed to see their great-grandchildren," he explains. "Ultimately, they realized that unless they wanted the great-grandchildren to be like their parents, they had to do something about it now. They went to the police and filed charges." Feight estimates that the experience cost his clients up to $175,000 in out-of-pocket costs at a time when the market and their investments were declining.

Ultimately, helping to protect against identity theft is bound to become just another way that advisors attempt to help preserve the financial health of their clients. As is the case with our physical health, it's an area where an ounce of prevention is much more important than a ton of cure.

Staff editor Bob Keane, who shreds every piece of mail that enters his home, can be reached at bkeane@ia-mag.com.

Reprints Discuss this story
This is where the comments go.